It was my understanding that incomplete/insufficient data (ie, sessions where a few packets were let through, but not enough for an app-id) would match the first allow rule with a service of any (or an allow rule with an app that happens to have the same default port). In his screenshot it seems they are matching a deny rule, which is weird -- although I could've been wrong in my thinking. Should they match a deny rule?
... View more